Process for generating a digital signature and process for checking the signature

ABSTRACT

A method for generating a digital signature s of a message m using a secret key including at least two large prime numbers p, q is provided. It is provided that s is the zero of the polynomial P(x)−m modulo n, P(x) being any permutation polynomial modulo n.

FIELD OF THE INVENTION

The present invention relates to a method for generating a digital signature of a message using a secret key including at least two large prime numbers, as well as to a method for verifying the signature.

BACKGROUND INFORMATION

Public-key signature methods are described in publications by Diffie and Hellmann (W. Diffie, M. E. Hellmann, “New Directions in Cryptography”, IEEE Transactions on Information Theory, vol. IT-22, November 1976, pages 644-654) and by Rivest, Shamir and Adleman (R. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, vol. 27, no. 2, February 1978, pages 120-126, RSA methods). These conventional methods utilize two keys, one of which is used for signing a message and another for verifying this signature. A secret key known only to the sender of the message is used for signing, while a public key is used for verifying the signature. Such public-key signature methods are used predominantly in data communications via electronic media, the digital signature being used as a substitute for a hand-written signature. The public key enables the recipient of the message to verify the authenticity of the signature and, thus, of the document transmitted to him or her. Examples of applications of the aforementioned signature methods have been described in detail in A. Beutelspacher, “Kryptologie”, (Cryptology) Vieweg-Verlag 1994.

German Patent application No. 195 13 896 describes a public-key signature method which uses a polynomial, whose coefficients are formed from the message to be signed and from a random number. From the thus formed polynomial, two further polynomials are derived, which must include at least one zero in a finite field, because these are used to form the signature. If this is not the case, the described method must be repeated with a different random number.

Schwenk J. et al.: “Public Key Encryption and Signature Schemes Based on Polynomials over Z_(n) Advances in Cryptology-Eurocrypt, 1996 International Conference on the, Theory and Application of Cryptographic Techniques, Saragossa, May 12-16, 1996, May 12, 1996, Maurer U. (ed), pages 60-71, describes a method for generating a digital signature of a message, this being accomplished by a secret key comprising at least two large prime numbers and the digital signature being the zero value of a polynomial P(x)−m modulo n. General polynomials f(x) are used as polynomials. Although the zero value is discovered when the digital signature is decrypted, it has become evident in the case of general polynomials f(x) that this zero value is not unique, i.e. the digital signature cannot be uniquely generated.

Varadharajan, V.: “Cryptosystem Based on Permutation Polynomials” International Journal of Computer Mathematics, 1988, London, vol. 23, no. 3-4, pages 235-250, describes a use of permutation polynomials for encrypting a message. A disadvantage, however, is that only those permutation polynomials can be used for which there is an inverse function.

Therefore, an object of the present invention is to provide a signature method for signing a message, where the method avoids the mentioned disadvantage, exhibits a level of security and speed of execution comparable to the existing methods, and, in this context, permits a valid signature to be generated at all times.

Signature methods which use polynomials over the ring of numbers modulo of a number n made up of at least two large prime numbers are already known from the publications described above. Other examples are those methods which are based on so-called Dickson polynomials (W. B. Müller, R. Nöbauer, Cryptanalysis of the Dickson scheme. Proc. Eurocrypt 8S, Lecture Notes in Computer Science, vol, 219, 1986, pages 50-61). The present invention goes beyond the teachings of the mentioned papers to the extent that the method for generating a signature is substantially more general in nature and makes it possible to employ other classes of polynomials as well.

SUMMARY OF THE INVENTION

The object of the present invention is achieved in that a zero value s of the polynomial P(x)-m mod n (or, equivalent thereto, a solution of the equation P(x)'m mod n) is calculated. P(x) is a permutation polynomial modulo n (see Lidl and Niederreiter, Finite Fields, Encyclopedia of Mathematics, vol. 20, Cambridge University Press 1983); and s represents the digital signature of the message m.

A valid signature s of the message m is produced in that a product n is formed from the two prime numbers p, q, and the digital signature s is determined by the equation s=b·u·p+a·v·q mod n and, on the basis of the equation 1=u·p+v·q, values u, v and values a, b are calculated using the extended Euclidean algorithm using equation ggT(P(x)−m, x ^(p) −x) mod p=x−a ggT(P(x)−m, x ^(q) −x) mod q=x−b, and P(x) is any permutation polynomial.

In a further example embodiment of the present invention, the secret key is formed by the number (p−1) (q−1)+1 from the prime numbers p and q, and digital signature s is formed according to the equation ggT(P(x)−m, x ^(((p−1)(q−1)+1)) −x) mod n=x−s

If permutation polynomials over a finite field are used for P(x), then the greatest common divisor, i.e. the signature, is a linear factor. Equally, it is possible, instead of the aforementioned number (p−1)(q−1)+1, to use its equivalent number which is calculated as follows: constant·kgV((p−1),(q−1))+1

In accordance with another embodiment of the method according to the present invention, generalized RSA polynomials of the form rx^(e)+s mod n or Chebyshev polynomials T_(e)(x) mod n or Dickson polynomials or, alternatively, a combination of these polynomials is used as permutation polynomials P(x). Chebyshev polynomials are described, for example, in I. Schur, “Arithmetisches über die Tschebyscheffschen Polynome”, (Arithmetic Aspects of Chebyshev Polynomials) in Gesammelte Abhandlungen, (Collected Treatises) volume III, pp. 422-453, Springer-Verlag, Berlin, Heidelberg, New York, 1973.

The present invention may provide a method for storing the manner in which the Chebyshev, generalized RSA, and/or Dickson transformation are consecutively executed, in the form of a vector, as part of the public key.

Especially preferred is an implementation of the method in which permutation polynomials of the form rx^(e)+s mod n and ggT(e,(p²−1)(q²−1))=1 are nested with Dickson polynomials.

Another embodiment of the present invention provides for using permutation polynomials of the form P(x)=p ⁻¹(x)o x ^(e) o p(x) mod n,

-   -   p⁻¹(x) being the inverse polynomial of p(x),     -   p⁻¹(x) and p(x) being permutation polynomials modulo n, it         holding that ggT(e,(p−1)q−1))=1, and the symbol “o” symbolizing         the consecutive execution of the associated function, such as         A(x) o B(x)=A(B(x)).

DETAILED DESCRIPTION

The public-key signature method according to the present invention based on the mathematical problem of factoring two large prime numbers. Therefore, two large prime numbers are used for the secret key, and the public key is formed from the product of those two numbers.

It is preferable for the method of the present invention that, in addition to the two prime numbers, use is made of permutation polynomials defined over a ring Z_(n). A permutation polynomial over Z_(n) is a polynomial which, considered as a function, induces a permutation of the set {0.1. . . n−1}. An overview of the permutation polynomial theory is provided in the book by Lidl and Niederreiter “Finite Fields”, Encyclopedia of Mathematics, vol. 20, Cambridge University Press 1983.

Therefore, in the public-key signature method, two large prime numbers p and q are used for the secret key. The public key is made up of a permutation polynomial P(x) and product n of prime numbers p and q.

If a message m is to be signed by a sender, then, first of all, the greatest common divisor of the polynomials p(x)=P(x)−m mod p and x^(p)−x over the finite field GF(p) is formed using the Euclidean algorithm Since p(x) is a permutation polynomial, the greatest common divisor (“ggt”) results as a linear factor and it provides that ggt(p(x), x ^(p) −x)=x−a.

In the same manner, the greatest common divisor of the polynomials p(x)=P(x)−m mod q and x^(q)−x over the finite field GF(q) is formed. Once again, p(x) is a permutation polynomial, with the result that the greatest common divisor is a linear factor which is calculated as follows ggt(p(x), x ^(q) −x)=x−b

Using the extended Euclidean algorithm, the relation 1=up+vq is calculated, with the result that, using the determined values a and b, it is possible to calculate the signature of the message m with s=b·u·p+a·v·q.

To allow the recipient of the message m to verify the thus formed signature, the public key is used which includes the permutation polynomial P(x) and the product n of the prime numbers p, q. For this purpose, the polynomial P(x)−m mod n is evaluated at the place value s with the result that, if the equation P(s)−m mod n=0 is satisfied, the validity of signature s is confirmed.

The method according to the present invention for signing a message and for verifying this signature is explained in greater detail in the following with reference to a numerical example, the numerical values chosen being very small for the sake of clarity. The prime numbers p=1237 and q=5683 are chosen as the secret key, with the result that the product n=p·q=7029871. The public key is given by the polynomial P(x)=2345678x⁵+3456789 mod n and the product n. The message is to be signed m=1234567. With the product n, the polynomial P(x) results as P(x)−m=2345678x ⁵+2222222

Next, the two polynomials p(x)=P(x)−m mod p=326x ⁵+570 and q(x)=P(x)−m mod q=4282x ⁵+169 are formed. Thereafter, the greatest common divisors of the polynomials p(x) and q(x) can be calculated using the polynomials x^(p)−x and x^(q)−x, respectively: x−a=ggT(326x ⁵+570, x ¹²³⁷ −x) mod p=x+211 x−b=ggT(4282x ⁵+169, x ⁵⁶⁸³ −x) mod q=x+864

This yields the values for a=1026 and b=4819.

From the extended Euclidean algorithm, with the relation 1=up+vq, one obtains the representation −2683·p+584·q=1 where u −2683 and v=584 (see E. R. Berkkamp, Algebraic Coding Theory, Aegean Park Press, 1984, pp. 21-24).

With these values, it is now possible to calculate the signature s: s=−2683·p·b+584·q·a mod n=2022284.

If the message m to be signed is greater than the product n, then the message is broken up into blocks which are individually signed, or a so-called hash value of the message m is signed.

To verify this signature, the public key can be used which is formed from the polynomial P(x) and the product n. To verify the signature, the equation P(s)−m mod n=0 must be satisfied. With the numerical values, the result is that s is a valid signature of the message m.

It is also possible to use more than two prime numbers as the secret key, it then being necessary for the described method to be executed analogously. 

1. A method for generating a digital signature (“s”) of a message (“m”), comprising the step of: determining a secret key as a function of a first large prime number (“p”) and a second large prime number (“q”); and generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n, wherein: n is a product of p and q, and P(x) is a permutation polynomial modulo n, the permutation polynomial being a Chebyshev polynomial represented as T(x) mod n, s=b·u·p+a·v·q mod n, u·p+v·q=1, and a, b, u and v are value which are calculated with an extended Euclidean algorithm using the equations: ggT(P(x)−m, X ^(p) −x) mod p=x−a, and ggT(P(x)−m, X ^(q) −x) mod q=x−b.
 2. A method for generating a digital signature (“s”) of a message (“m”), comprising the step of: determining a secret key as a function of a first large prime number (“p”) and a second large prime number (“q”); and generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n, wherein: n is a product of p and q, and P(x) is a permutation polynomial modulo n, the permutation polynomial being a Dickson polynomial, s=b·u·p+a·v·q mod n, u·p+v·q=1, and a, b, u and v are values which are calculated with an extended Euclidean algorithm using the equations: ggT(P(x)−m, X ^(p) −x) mod p=x−a, and ggT(P(x)−m, X ^(q) −x) mod q=x−b.
 3. A method for generating a digital signature (“s”) of a message (“m”), comprising the steps of: determining a secret key as a function of a first large prime number (“p”) and a second large prime number (“q”); and generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n, wherein: n is a product of p and q, and P(x) is a permutation polynomial modulo n,  s=b·u·p+a·v·q mod n, u·p+v·q=1, and a, b, u and v are values which are calculated with an extended Euclidean algorithm using the equations: ggT(P(x)−m, X ^(p) −x) mod p=x−a, and ggT(P(x)−m, X ^(q) −x) mod q=x−b, the permutation polynomial being a combination of a Chebyshev polynomial, a Dickson polynomial and a particular polynomial having the form of r·x^(e)+s which is an RSA polynomial, and wherein r and s are constant variables, and e is an exponent.
 4. A method for generating a digital signature (“s”) of a message (“m”), comprising the steps of: determining a secret key as a function of a first large prime number (“p”) and a second large prime number (“q”); generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n; consecutively executing at least one of a Chebyshev polynomial, a Dickson polynomial and a generalized RSA polynomial to form a particular result; and storing the particular result in the form of a vector as a portion of a public key for the digital signature; wherein: n is a product of p and q, and P(x) is a permutation polynomial modulo n,s  s=b·u·p+a·v·q mod n, u·p+v·q=1, and a, b, u and v are values which are calculated with an extended Euclidean algorithm using the equations: ggT(P(x)−m, X ^(p) −x) mod p=x−a, and ggT(P(x)−m, X ^(q) −x) mod q=x−b.
 5. A method for generating a digital signature (“s”) of a message (“m”), comprising the steps of: generating a secret key according to one of i) an equation (p−1)(q−1)+1, and ii) an equation kgV((p−1), (q−1))+1, where p is a first large prime number and q is a second large prime number; and generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n, n being determined as a function of the first large prime number and the second large prime number, the digital signal being determined according to the equation: ggT(P(x)−m, x ^(((p−1)(q−1)+1) −x) mod n=x−s, wherein the permutation polynomial is a Chebyshev polynomial represented as T(x) mod n.
 6. A method for generating a digital signature (“s”) of a message (“m”), comprising the steps of: generating a secret key according to one of i) an equation (p−1)(q−1)+1, and ii) an equation kgV((p−1), (q−1))+1, where p is a first large prime number and q is a second large prime number; and generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n, n being determined as a function of the first large prime number and the second large prime number, the digital signal being determined according to the equation: ggT(P(x)−m, x ^(((p−1)(q−1)+1)) −x) mod n=x−s, wherein the polynomial is a Dickson polynomial.
 7. A method for generating a digital signature (“s”) of a message (“m”), comprising the steps of: generating a secret key according to one of i) an equation (p−1)(q−1)+1, and ii) an equation kgV((p−1), (q−1))+1, where p is a first large prime number and q is a second large prime number; and generating the digital signature as a function of p and q, the digital signature being a zero value of a permutation polynomial P(x)−m modulo n, n being determined as a function of the first large prime number and the second large prime number, the digital signal being determined according to the equation: ggT(P(x)−m, x ^(((p−1)(q−1)+1)) −x) mod n=x−s, wherein the permutation polynomial is a combination of a Chebyshev polynomial, a Dickson polynomial and a particular polynomial having the form of r·x^(e)+s which is an RSA polynomial, and wherein r and s are constant variables, and e is an exponent.
 8. A method for generating a digital signature (“s”) of a message (“m”), comprising the steps of: generating a secret key according to one of i) an equation (p−1)(q−1)+1, and ii) an equation kgV((p−1), (q−1))+1, where p is a first large prime number and q is a second large prime number; generating the digital signature as a function of p and q, the digital signature being a zero value of a polynomial P(x)−m modulo n, n being determined as a function of the first large prime number and the second large prime number, the digital signal being determined according to the equation: ggT(P(x)−m, x ^(((p−1)(q−1)+1)) −x) mod n=x−s; consecutively executing at least one of a Chebyshev polynomial, a Dickson polynomial and a generalized RSA polynomial to form a particular result; and storing the particular result in the form of a vector as a portion of a public key for the digital signature.
 9. A method for verifying a digital signature (“s”) of a message (“m”), comprising the steps of: receiving a digital signature, the digital signature being determined as a function of a secret key, the secret key being determined according to one of i) an equation (p−1)(q−1)+1, and ii) an equation kgV((p−1), (q−1))+1, where p is a first large prime number and q is a second large prime number, the digital signature being determined as a function of p and q, and being a zero value of a polynomial P(x)−m modulo n, n being determined as a function of the first large prime number and the second large prime number, the digital signal being determined according to the equation: ggT(P(x)−m, x ^(((p−1)(q−1)+1)) −x) mod n=x−s; and verifying if the digital signature is valid by determining if the following equation is satisfied: P(s)−m mod n=0. 